Author: markt
Date: Fri Jun 23 21:14:43 2017
New Revision: 1799704
URL: http://svn.apache.org/viewvc?rev=1799704&view=rev
Log:
When the access log valve logs a TLS related request attribute and the NIO2
connector is used with OpenSSL, ensure that the TLS attributes are available to
the access log valve when the connection is closing.
Added:
tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java (with props)
Modified:
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Fri Jun 23
21:14:43 2017
@@ -85,6 +85,7 @@ import org.apache.catalina.core.AsyncCon
import org.apache.catalina.mapper.MappingData;
import org.apache.catalina.util.ParameterMap;
import org.apache.catalina.util.RequestUtil;
+import org.apache.catalina.util.TLSUtil;
import org.apache.catalina.util.URLEncoder;
import org.apache.coyote.ActionCode;
import org.apache.coyote.UpgradeToken;
@@ -855,48 +856,46 @@ public class Request implements HttpServ
*/
@Override
public Object getAttribute(String name) {
-
// Special attributes
SpecialAttributeAdapter adapter = specialAttributes.get(name);
if (adapter != null) {
return adapter.get(this, name);
}
- Object attr=attributes.get(name);
+ Object attr = attributes.get(name);
- if(attr!=null) {
+ if (attr != null) {
return attr;
}
- attr = coyoteRequest.getAttribute(name);
- if(attr != null) {
+ attr = coyoteRequest.getAttribute(name);
+ if (attr != null) {
return attr;
}
- if( isSSLAttribute(name) ||
name.equals(SSLSupport.PROTOCOL_VERSION_KEY)) {
- coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE,
- coyoteRequest);
+ if (TLSUtil.isTLSRequestAttribute(name)) {
+ coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE, coyoteRequest);
attr = coyoteRequest.getAttribute(Globals.CERTIFICATES_ATTR);
- if( attr != null) {
+ if (attr != null) {
attributes.put(Globals.CERTIFICATES_ATTR, attr);
}
attr = coyoteRequest.getAttribute(Globals.CIPHER_SUITE_ATTR);
- if(attr != null) {
+ if (attr != null) {
attributes.put(Globals.CIPHER_SUITE_ATTR, attr);
}
attr = coyoteRequest.getAttribute(Globals.KEY_SIZE_ATTR);
- if(attr != null) {
+ if (attr != null) {
attributes.put(Globals.KEY_SIZE_ATTR, attr);
}
attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_ID_ATTR);
- if(attr != null) {
+ if (attr != null) {
attributes.put(Globals.SSL_SESSION_ID_ATTR, attr);
}
attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_MGR_ATTR);
- if(attr != null) {
+ if (attr != null) {
attributes.put(Globals.SSL_SESSION_MGR_ATTR, attr);
}
attr = coyoteRequest.getAttribute(SSLSupport.PROTOCOL_VERSION_KEY);
- if(attr != null) {
+ if (attr != null) {
attributes.put(SSLSupport.PROTOCOL_VERSION_KEY, attr);
}
attr = attributes.get(name);
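Review bot: The six attribute names copied into `attributes` inside the `if (TLSUtil.isTLSRequestAttribute(name))` branch duplicate by hand the list that the new predicate checks, and the two lists now live in different files. If a name is later added to the predicate but not to this copy block, the lookup would still trigger the connector action, and the final `attributes.get(name)` would presumably return null, leaving the TLS value missing from the access log. A comment above the branch such as `// Copies every attribute accepted by TLSUtil.isTLSRequestAttribute(); keep both lists in sync` would make the coupling explicit. The body of getAttribute continues past the end of this hunk.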
@@ -911,18 +910,6 @@ public class Request implements HttpServ
return coyoteRequest.getContentLengthLong();
}
- /**
- * Test if a given name is one of the special Servlet-spec SSL attributes.
- *
- * @return <code>true</code> if this is a special SSL attribute
- */
- static boolean isSSLAttribute(String name) {
- return Globals.CERTIFICATES_ATTR.equals(name) ||
- Globals.CIPHER_SUITE_ATTR.equals(name) ||
- Globals.KEY_SIZE_ATTR.equals(name) ||
- Globals.SSL_SESSION_ID_ATTR.equals(name) ||
- Globals.SSL_SESSION_MGR_ATTR.equals(name);
- }
/**
* Return the names of all request attributes for this Request, or an
Added: tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java?rev=1799704&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java (added)
+++ tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java Fri Jun 23 21:14:43
2017
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.util;
+
+import org.apache.catalina.Globals;
+import org.apache.tomcat.util.net.SSLSupport;
+
+public class TLSUtil {
+
+ /**
+ * Determines if the named request attribute is used to pass information
+ * about the TLS configuration of the connection to the application. Both
+ * the standard request attributes defined by the Servlet specification and
+ * Tomcat specific attributes are supported.
+ *
+ * @param name The attribute name to test
+ *
+ * @return {@code true} if the attribute is used to pass TLS configuration
+ * information, otherwise {@code false}
+ */
+ public static boolean isTLSRequestAttribute(String name) {
+ return Globals.CERTIFICATES_ATTR.equals(name) ||
+ Globals.CIPHER_SUITE_ATTR.equals(name) ||
+ Globals.KEY_SIZE_ATTR.equals(name) ||
+ Globals.SSL_SESSION_ID_ATTR.equals(name) ||
+ Globals.SSL_SESSION_MGR_ATTR.equals(name) ||
+ SSLSupport.PROTOCOL_VERSION_KEY.equals(name);
+ }
+}
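Review bot: `TLSUtil` holds only a static method but is declared as an ordinary `public class`, so it gets an implicit public constructor and can be subclassed. Declaring it `public final class TLSUtil` and adding `private TLSUtil() {}` with a short comment that it is a utility class would state the intent. The class itself has no Javadoc; one sentence describing it as a holder of TLS-related helpers shared by the connector and the valves would help. The `CONSTANT.equals(name)` form already makes the method safe for a null `name`, which is worth keeping.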
Propchange: tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified:
tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java
Fri Jun 23 21:14:43 2017
@@ -42,6 +42,7 @@ import org.apache.catalina.LifecycleStat
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.TLSUtil;
import org.apache.coyote.RequestInfo;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -460,6 +461,12 @@ public abstract class AbstractAccessLogV
*/
private int maxLogMessageBufferSize = 256;
+ /**
+ * Does the configured log pattern include a known TLS attribute?
+ */
+ private boolean tlsAttributeRequired = false;
+
+
// ------------------------------------------------------------- Properties
/**
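Review bot: `tlsAttributeRequired` is a plain `boolean` that is written while the pattern is parsed (the `case 'r'` hunk further down) and read in `invoke()` on request-processing threads. If the pattern can be replaced while the valve is serving requests, which this diff does not show, the write has no visibility guarantee for those threads; `private volatile boolean tlsAttributeRequired = false;` would cover that. The flag is also only ever set to `true` in the visible hunks, so a later pattern without TLS attributes would presumably keep the per-request pre-fetch. Resetting it to `false` at the start of pattern parsing would avoid that.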
@@ -622,6 +629,14 @@ public abstract class AbstractAccessLogV
@Override
public void invoke(Request request, Response response) throws IOException,
ServletException {
+ if (tlsAttributeRequired) {
+ // The log pattern uses TLS attributes. Ensure these are populated
+ // before the request is processed because with NIO2 it is possible
+ // for the connection to be closed (and the TLS info lost) before
+ // the access log requests the TLS info. Requesting it now causes
it
+ // to be cached in the request.
+ request.getAttribute(Globals.CERTIFICATES_ATTR);
+ }
getNext().invoke(request, response);
}
@@ -1559,6 +1574,9 @@ public abstract class AbstractAccessLogV
case 'p':
return new PortElement(name);
case 'r':
+ if (TLSUtil.isTLSRequestAttribute(name)) {
+ tlsAttributeRequired = true;
+ }
return new RequestAttributeElement(name);
case 's':
return new SessionAttributeElement(name);
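Review bot: The flag is raised only in this `case 'r'` branch, and the field is `private` in an abstract class, so a subclass that builds a `RequestAttributeElement` through its own pattern parsing cannot turn on the pre-fetch in `invoke()`. Whether such a subclass exists is not visible here, but if one does, its TLS attributes would still be read after the connection has closed. Making the field `protected`, or adding a small `protected` setter, would close the gap, along with a comment that any code creating a request-attribute element for a TLS name must set the flag. The enclosing switch and method start and end outside this hunk.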
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Jun 23 21:14:43 2017
@@ -61,6 +61,12 @@
OpenSSL based TLS session since this is expected when session tickets
are enabled. (markt)
</fix>
+ <fix>
+ When the access log valve logs a TLS related request attribute and the
+ NIO2 connector is used with OpenSSL, ensure that the TLS attributes are
+ available to the access log valve when the connection is closing.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Tribes">